[A PDF version of this document, complete with appendixes, is available here.]

October 11, 2005
Food and Drug Administration
Division of Dockets Management
5630 Fishers Lane, Rm 1061
Rockville, MD 20852

Re: Comments of the Electronic Privacy Information Center on Consumer-Directed Promotion of Regulated Medical Products / Docket No. 2005N-0354

The Electronic Privacy Information Center West Coast Office ("EPIC") submits these comments to the Food and Drug Administration Public Hearing on Consumer-Directed Promotion of Regulated Medical Products.[1]  EPIC is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.  EPIC's West Coast Office is located in San Francisco, CA, and focuses on consumer privacy issues.

We wish to highlight an issue in direct-to-consumer medical marketing that has not received adequate attention: the use of databases of personal information to target individuals with medical ailments through direct mail or other forms of direct marketing.  We are concerned that heightened attention to traditional mass-circulation print and broadcast advertising will result in marketers increasing information collection efforts for targeted solicitations.  Already, Florida residents have been targeted for an unsolicited package of Prozac by mail.  One woman received the Prozac samples despite not having taken the drug for years.  A sixteen-year-old, despite never having taken Prozac, received a month's supply.[2]

There are several reasons why a shift to this marketing channel presents risks to privacy and consumer welfare:  First, data brokers, companies that amass personal information and sell it to marketers and others, can enable targeting of direct-to-consumer advertising to vulnerable populations.  This risk is exacerbated by the fact that, unlike mass-circulation print and broadcast advertising, targeted solicitations are harder for public health authorities to monitor.  Second, medical information is often gathered in a deceptive fashion.  Consumers are often presented with product warranty or registration cards that solicit medical information, with the false implication that completing the card is necessary to enjoy protection for a product.  Finally, this medical information is being gathered outside the protections of the Health Insurance Portability and Accountability Act's Privacy Regulations.  Individuals who give their medical ailment information to marketers have no ability to "opt-out" of the data collection, to access their data or correct it, or order that the data be deleted.

The Risk of Targeting Vulnerable Populations

The FDA recognizes that, "[s]ome consumer audiences may be more susceptible to being misled by false or misleading promotion."  In the direct marketing context, information databases allow marketers to identify susceptible groups and target them for solicitations.  Data brokers have sold "sucker" lists, databases of individuals labeled as "impulsive," those who have fallen for scams, or those otherwise lacking the capacity to evaluate a marketing representation.  For instance, just last month, DMNews, a leading direct marketing publication, carried this advertisement for a database of personal information:

[Image: Eye of Ra database advertisement]

Direct marketers never label these lists as "sucker" databases, but between the lines, the label is communicated very clearly: this is a database of "impulsive" individuals who purchased a pendant "advertised as having a fragment of the Eye of Ra inside it," with the belief that the pendant will "change their life, awaken their inner consciousness and bring them wealth."[3]

In other areas, data broker companies advertise that their databases include "psychographic" data.  This can include databases that are segmented by age, by a medical condition, or by behavior that correlates with an impairment in reasoning.  For instance, the Iowa Attorney General has initiated a probe of database seller "Walter Karl" for providing lists to scam artists.[4]  The company sells databases that claim to include "impulsive buyers…primarily mature" and "highly impulsive consumers…sure to respond to all of your low-end offers."[5]

Exacerbating this problem is the fact that it is difficult for authorities to detect these scams.  Unlike mass media advertising, direct marketing can be targeted to individuals and is therefore not exposed to the general public.  Large deceptive mailings can continue unless a specific person complains and that complaint is investigated.

Deceptive Gathering of Medical Information for Marketing

A great amount of medical information is solicited from consumers through product registration cards.  These cards accompany many consumer products.  Consumers complete these cards for two main reasons.  First, the manufacturer falsely implies that the card must be completed in order to enjoy a product warranty.  Second, registration may increase the likelihood that one receives information about product recalls.

The registration cards almost always 1) solicit information completely unrelated to warranty and recall information, 2) do not inform the consumer that providing the information is discretionary, and 3) fail to notify the customer that the information solicited is wholly unprotected by privacy law, and may be used for any purpose.  We believe that this collection of information is deceptive, and if consumers were made aware of the ultimate uses of personal information, they would object and leave the card blank.

Data brokers collect personal medical information in other deceptive ways for marketing.  For instance, attached to these comments is an advertisement from Hippo Direct for "People with Ailments" databases.  It notes that the information was gathered from:

telephone and mail order purchase information, rebate coupons, prescription records, subscription order forms, warranty card registrations, 800# respondents, sweepstakes entry forms, trade show/conference attendee rosters, and consumer surveys & questionnaires

In almost all of these contexts, individuals are not told that information they provide is sold for secondary marketing purposes.  Furthermore, Hippo Direct is claiming that some of this information is collected from prescription records, a practice that does not comport with individuals' expectation of privacy with their pharmacy.

In sum, there are two risks here: a switch to direct mail drug advertising may drive more deceptive collection of personal medical information.  Additionally, individuals will have no idea how a drug company obtained their name and medical information, since the data are almost always collected without the individual's specific knowledge.  As explained more fully in the section below, they will also be helpless to stop the marketing communication should it be unwanted.

Data Collected Are Not Subject to Privacy Protections

The Health Insurance Portability and Accountability Act's Privacy Rule (HIPAA) sets forth rules for the collection, use, retention, and disclosure of medical information.  However, HIPAA only applies to a limited range of companies, and the marketing entities collecting data are not "covered entities."  Because these marketing companies are not covered by HIPAA or other federal privacy laws, individuals have little ability to control how data are used.  There is no requirement that these companies give notice of their practices.  There is often no ability to opt-out of disclosure of information.  There is no right to access or correct data.  Nor is there an ability to delete information, should one no longer wish to be in the marketing databases.

In conclusion, we urge the FDA to consider in its public hearing and in other proceedings the risks posed by an increase in the use of personal information to target direct-to-consumer advertising.  New database technology makes it simple for marketers to target vulnerable groups, thus raising the risk of consumer deception.  Medical data collected by the marketing industry is collected in a deceptive fashion, without individuals' informed consent.  Finally, much of the medical data used to target solicitations is wholly outside the protections of federal and state privacy law.  

Respectfully submitted,

Chris Hoofnagle
Senior Counsel
Electronic Privacy Information Center West Coast Office
944 Market St. #709
San Francisco, CA 94102

[1] Department of Health and Human Services, Food and Drug Administration, Consumer-Directed Promotion of Regulated Medical Products; Public Hearing, 70 Fed. Reg. 54054 (Sept. 13, 2005).

[2] Glenn Singer, Judge Upholds Legality of Prozac Mailing, South Florida Sun Sentinel, May 17, 2005.

[3] http://www.dmnews.com/cgi-bin/listdb.cgi?list_id=8663&action=preview.

[4] Attorney General of Iowa, A.G. asks Court to Order List Broker to Respond to Telemarketing Fraud Probe, State asks court to order list-broker "Walter Karl, Inc." to cooperate with consumer protection investigation of direct mail and telemarketing schemes, Mar. 3, 2005, available at http://www.state.ia.us/government/ag/latest_news/releases/mar_2005/Walter_Karl.html.

[5] Affidavit of Barbara Blake, Investigator, Office of the Attorney General of Iowa, Mar. 1, 2005, available at http://www.state.ia.us/government/ag/latest_news/releases/mar_2005/Walter%20Karl%20BBlake%20Affidavit%203-1-05.pdf.

Last Updated: October 11, 2005
Page URL: http://www.epic.org/privacy/medical/dtcltr10.11.05.html